When protecting your website against hacks or accidental file corruption, there are two main areas to consider. First, you’ll need to secure your actual website. However, your site’s server is another potential access point, which hackers can use to locate personal information and cause major issues (such as file corruption).
Therefore, by securing your server in addition to your website, you can vastly improve your website’s functionality and your visitors’ viewing experience. In addition, you can protect other sites running on the same server. This is just as crucial a consideration as any on-site security technique.
In this post, we’ll discuss the topic of server security in more detail. This will include an exploration of what it is and why it’s important. Then we’ll offer three server-side security tips you can use to protect your servers from attacks and further secure your website. Let’s get started!
What It Means to Secure Your Server (And Why It’s Important)
In a nutshell, a web server is a system on which your website runs. It works by sharing your website’s information with any browser that requests it and is permitted access. Theoretically, your server also ensures that there are no interruptions or delays in service.
However, in reality it is of course possible for interruptions to occur. This is especially true when your server is unprotected, putting both your website and any others that run on it at risk. The potential results can include malicious attacks, file corruption, and data deletion.
That’s why server-side security is so crucial. You’ll need to take measures to protect your website’s host server. In contrast to on-site measures, server-side security tips focus on more technical aspects such as source code and configuration files. They’re important, however, because:
- Web servers hold a lot of private information, such as usernames and passwords. With this information, hackers can access all sites on the server.
- Web servers protect crucial data and site files. If these are lost in the event of a hack, your website will no longer be functional.
Essentially, server-side security can help you build a strong and protected foundation for your website. This will be beneficial for your business, but also for User Experience (UX) and visitor trust.
3 Server-Side Security Tips to Keep Your Website Safe
There are many methods you can use to protect your website from outside hacking attempts. One technique is to consistently make website backups, which enable you to save your site’s latest data in the event of a break-in or file corruption. However, you’ll also want to consider implementing the following server-side security tips.
1. Harden Your wp-config.php File to Protect Database Information
Your WordPress website contains various ‘core’ files, all of which are required for it to function properly. One such file is wp-config.php, and it contains crucial database information, including details about your host and login credentials. Since it holds such valuable information, this file is a common target for hackers. If they manage to gain access to your database’s back end, you could end up dealing with file corruption or deletion, or even the injection of active malware.
Hardening (or securing) the wp-config.php file ensures that your database information is inaccessible to those who mean harm. While it doesn’t stop hackers completely, it can add a needed layer of security. The method we recommend is moving this file away from the default (i.e. public) location, so that it’s harder to find.
Accessing the wp-config.php file will require the use of a file manager, and for that we recommend FileZilla. You’ll need a few pieces of information to log in to this tool, but they can be easily obtained from your host. Once you’ve connected successfully, you’ll see four main panels. The panel to the bottom right contains all your current website files.
Click on the folder that’s named after your website, and then select wp-config.php:
To move the file, click and drag it to the top of the FTP panel. There, you’ll see a folder that’s simply titled “…”. Drop the wp-config.php file into it:
This action removes the wp-config.php file from public view, which ensures that your database information can no longer be accessed by anyone who manages to hack their way in. For further protection, you can even set permissions that disallow anyone who’s searching for the file from viewing it at all.
2. Disable XML-RPC to Prevent DoS Attacks
Simply put, XML-RPC is a protocol that enables you to gain remote access to your WordPress website. This is commonly used by sites that have any mobile or outside application attached, as long as it uses an Application Programming Interface (API) in order to connect.
The most obvious reason to disable this protocol is that it offers hackers another point of access, which is always something to avoid. Such an access point opens the door to a Denial-of-Service (DoS) attack, which is used by hackers to flood your server and make your website unavailable to visitors.
In WordPress, XML-RPC is a default setting. There is a manual way to disable XML-RPC, although we recommend the use of a plugin instead. This will speed up the process, and make it possible for even beginners to complete safely. You have a few plugins to choose from, but a popular option to start with is WP Hide & Security Enhancer.
To disable the protocol, you’ll first need to install the plugin on your website, then go to WP Hide > Rewrite > XML-RPC. From here, go to Block default xmlrpc.php, and change the setting there to Yes:
Keep in mind that disabling XML-RPC will mean that some plugins (such as Jetpack) will no longer work with your site. However, it also means that your server will be protected from unauthorized outside access through this potential security hole. As such, the trade-off can be worth it unless your site relies on certain plugins in order to function.
3. Hide Your WordPress Version to Keep Vulnerabilities Unexposed
As a security-focused Content Management System (CMS), WordPress updates its underlying code on a regular basis. These changes often include security patches and functionality improvements, and can be big or small. Either way, they all come with a version number attached.
By default, the version of your WordPress website can be found within your website’s source code. If this information falls into the wrong hands, however, it can be used to exploit the known vulnerabilities of that particular version. For this reason, the last of our server-side security tips is to hide this detail from public view.
To do this, you’ll again need to use a file manager, such as FileZilla. Open the manager, and locate the functions.php file within your website’s theme’s folder (go to your website’s name > wp-content > themes > your site’s current theme). Right click on this file, and select View/Edit.
Next, you’ll need to add this line to the very end of the file:
Don’t forget to save your changes:
Once you’ve saved the file, refresh your website. Your site’s WordPress version will no longer be visible in your source code. This makes it more difficult for hackers to find and exploit your site’s potential vulnerabilities.
When you secure your website, the goal is to prevent hackers from gaining access at a local level. However, safeguarding your server from attack is just as important. With certain server-side security tips in place, you can keep your website safe and prevent anyone from stealing valuable information or making changes without your approval.
In this post, we’ve discussed the importance of server-side security measures. We’ve also offered three tips to help you start implementing these measures immediately. To quickly recap, they are:
- Harden your wp-config.php file to protect database information.
- Disable XML-RPC to prevent DoS attacks.
- Hide your WordPress version number to keep vulnerabilities unexposed.
Do you have any questions about these server-side security tips, or how they can help you protect your WordPress website? Let us know in the comments section below!
Image credit: Pixabay.